Documentation
Continue with Meimo — API reference
Quick start
- Register your organization and complete business verification.
- Create an application from your dashboard — you'll receive a
client_idandclient_secret. - Redirect users to
app.meimoid.com/oauth-authorizewith your parameters. - Exchange the returned code for tokens at
POST /v1/oauth/token.
Authorization flow
Standard OAuth 2.0 authorization code grant with PKCE (S256 only — plain is not accepted).
# 1. Redirect the user's browser GET https://app.meimoid.com/oauth-authorize ?response_type=code&client_id=...&redirect_uri=... &scope=identity+profile+phone&state=... &code_challenge=...&code_challenge_method=S256 # 2. User approves. Browser is redirected back: GET https://yourapp.com/callback?code=AUTH_CODE&state=... # 3. Your backend exchanges the code (server-to-server): POST https://api.meimoid.com/v1/oauth/token Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=AUTH_CODE &redirect_uri=https://yourapp.com/callback &client_id=...&client_secret=... &code_verifier=... # 4. Fetch claims: GET https://api.meimoid.com/v1/oauth/userinfo Authorization: Bearer ACCESS_TOKEN
Endpoints
GET
/v1/oauth/clients/:clientIdPublic application info (name, organization, requested scopes) — used to render the consent screen before the user does anything.
Auth: None
POST
/v1/oauth/tokenServer-to-server code/refresh-token exchange. Called by your backend, never the browser.
Auth: client_id + client_secret
GET
/v1/oauth/userinfoReturns the claims granted at consent. Filtered strictly by the scopes actually approved — never more.
Auth: Bearer access_token
GET
/v1/oauth/pictureThe URL returned in userinfo's picture claim — the user's live-captured profile photo, as bytes.
Auth: Bearer access_token
Error codes
| Code | Meaning |
|---|---|
| invalid_request | A required parameter is missing or malformed. |
| access_denied | The user declined consent. |
| invalid_grant | The authorization code is invalid, expired, or already used — codes are single-use. |
| invalid_client | client_id/client_secret don't match a registered, non-revoked application. |